Cloudflare pages security issues highlighted by 3rd party testing tool

Hello there,

I am hosting a static site on Cloudflare Pages and I ran a security test, and the test revealed a few issues and recommendations. However, it seems like most of these recommendations are not in my hands, or maybe they are, I am not sure?

Any suggestions on how to fix or ignore these issues? If you are recommending to ignore them, then please suggest why I should ignore these issues or recommendations.

Thanks


That was certainly a scanner. You can safely ignore the results and delete the site from your browser history.

3 Likes

Hello @cscharff

I am not sure what you mean? Delete the site from my browser? It is not in my browser but an online tool where you add the web URL and it scans and shows a security score along with some recommendations.

When hosting previously on Plesk I was easily able to hide server details and close the ports which I am not using from the dashboard, without a terminal.

With Cloudflare, can I at least apply a few, or do I have to ignore all recommendations?

Thanks

Let’s take a look at your screenshot:

Highlighted warning of (paraphrasing) “Hey, the server name says Cloudflare. You’ve exposed implementation details. You should delete it.”

Scroll down a bit: (paraphrasing) “Several ports are open and they say ‘Cloudflare’. We’ll give you a 0.0 badness score here. You’re fine.”

I’d say their warnings aren’t well thought out.

1 Like

Hi @sdayman

This is information, not a warning; they are simply informing that all these ports are open. I do not know if they are supposed to be closed or not.

This recommendation has been known for many years; usually on a VPS etc. I always hide this info so it adds one additional step towards hacking the site.

The 3 medium and 1 low warnings are my concerns, related to SSL.

Thanks

If those ports (i.e. HTTP - 80/8080, HTTPS - 443/8443) were blocked, how would one view content that’s on Cloudflare Pages?

2 Likes

Hi @jwds1978

If I am using HTTPS, I suppose even if I do not need the port HTTP - 80/8080 I still cannot close it, because other people might use it also, as it is on a shared server. So I can simply ignore the port info.

Do you know what is wrong with the SSL, and if there is a way to hide the server info in the header when using Cloudflare Pages?

Thanks

The tool is not useful, so no reason to have its URL cached on your browser.

You can pay Cloudflare to remove the header which identifies it as Cloudflare. That is an option on the Enterprise plan. However paying $60k+ a year to obfuscate something that can easily be determined in other ways seems like a waste.

5 Likes

A Server header that looks like this: Server: Apache/2.4.2 (Unix) PHP/4.2.2 MyMod/1.2 is exposing details. A response that includes Server: cloudflare is exposing nothing material, and nothing that is not already obvious to a potential attacker.

If you want to create CAA records instructions are available here: https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/caa-records/. It looks like they are making up the CVSS Severity. The lack of CAA records is not a TLS configuration issue. (The failure to properly use CAA records by a Certificate Authority is a serious issue, but such a scanner cannot detect such issues.)

If you want to control the Cipher Suites you can use ACM. Note that in order to modify the ciphers with Cloudflare Pages you also need to upload a Custom Certificate.

Secure Renegotiation is supported when required. If you have specified only one version of TLS, then renegotiation does not matter. A good configuration with Cloudflare would set the Minimum TLS to v1.2, and enable v1.3 also.

You can create a WAF rule to block all requests to ports other than 80 and 443, but you cannot close them completely. Even if you do not create that WAF rule, if you do not have the ports open on your Origins it makes little difference.

4 Likes
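As an added example (not from this thread, and not Cloudflare's own code) to make the two points in the reply above concrete: a small Python triage that reports whether a Server header value actually carries version tokens, and the RFC 8659 walk that decides which CA a CAA record set permits. The zone data and domain names are constructed for the demonstration.

```python
"""Triage for two scanner findings: Server header version leakage and CAA coverage."""
import re

# RFC 9110 product token "name[/version]"; "(comment)" parts are stripped before matching.
_PRODUCT_RE = re.compile(r"([A-Za-z0-9!#$%&'*+.^_`|~-]+)(?:/([^\s(]+))?")


def server_header_exposure(value: str) -> dict:
    """Report which product tokens in a Server header value carry a version number.

    'cloudflare' yields none; 'Apache/2.4.2 (Unix) PHP/4.2.2' yields two, which is
    the difference the reply above draws between the two headers.
    """
    without_comments = re.sub(r"\([^)]*\)", "", value)
    versions = {p: v for p, v in _PRODUCT_RE.findall(without_comments) if v}
    return {"versioned_products": versions, "exposes_versions": bool(versions)}


def caa_permits(caa_records: dict, fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """RFC 8659 check: climb from fqdn towards the root; the first name holding CAA
    records is the relevant RRset. No records anywhere means CAA does not restrict
    issuance, which is what a 'missing CAA' finding amounts to.
    caa_records maps a DNS name to a list of (tag, value) pairs (constructed input).
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa_records.get(".".join(labels[i:]))
        if not rrset:
            continue
        issue = [v for t, v in rrset if t == "issue"]
        issuewild = [v for t, v in rrset if t == "issuewild"]
        # issuewild takes precedence for wildcard names and is ignored otherwise
        relevant = issuewild if (wildcard and issuewild) else issue
        if not relevant:
            return True  # no issue/issuewild tags in the relevant RRset: no limit
        # value is "ca-domain[; parameters]"; a bare ";" authorises no CA at all
        allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
        return ca.lower() in allowed
    return True


# Constructed sample zone data for demonstration, not real DNS answers.
SAMPLE_CAA = {
    "example.com": [("issue", "letsencrypt.org"),
                    ("issue", "pki.goog; cansignhttpexchanges=yes"),
                    ("iodef", "mailto:security@example.com")],
    "locked.example.com": [("issue", ";")],
    "wild.example.com": [("issue", "pki.goog"), ("issuewild", "letsencrypt.org")],
}
```

Feed `caa_permits` the CAA RRsets you actually publish and the CA identifiers your certificate provider uses, and it tells you whether a record set would block or allow that issuer before you deploy it.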

My point was that on the one hand, they say that identifying the server as Cloudflare is bad. But on the other hand, ports announcing that they identify as Cloudflare are no big deal. It’s clearly not an intelligent test.

3 Likes
